Why can't hackers just brute-force word combinations? If there are 170k English words, and 95 possible password characters, then it seems to me that 170,000^3 ~= 95^8 so a 3-word English phrase would only be about as safe as an 8-character random string.
But, that is formidable: using three dictionary words, you have something that is as secure as 8 characters, those being chosen from the full set of 95 non-blank ASCII glyphs!
It's likely way easier to memorize, not to mention type.
Though, by the same lexical token, it's worth acknowledging that words from a 170,000 dictionary will include some difficult ones that are not in the user's vocabulary.
Say we use a 30,000 dictionary of common words, and make the password four words. You know, like correct-horse-battery-staple. Wow, I remembered that.
If you need one password, yes. However, most people have accounts on hundreds of sites. And you’re supposed to not reuse. That means you have to remember a unique combination of N words per site. I’m not convinced this is any better than choosing a 20-32 digit password from a secure RNG and storing it in a password manager.
Reusing a complex password (especially in multiple places) is almost as bad as using a weak password, but that seems inevitable given all the accounts a person uses these days if they refuse to use a password manager. In other words, do you think you'll have better luck remembering hundreds of three-word phrases? Or will you reuse your phrase everywhere and make yourself vulnerable?
Yes, it is definitely easier to remember hundreds of three word phrases. If you know the lyrics to stairway to heaven, you can remember a little under 1000 unique three word phrases. How many song lyrics, movie quotes, pieces of trivia, names, etc can you recall? The human mind is well optimized for compressing and storing phrases composed of words, as opposed to random alphanumeric sequences.
Randomly chosen three word combinations are not "phrases" in the linguistic sense, though they certainly are "pass phrases". I think we are sliding into equivocation over multiple meanings of the word "phrase".
There is a difficulty there that should be acknowledged.
For that, I'd strongly recommend simplifying your life to a dependency on fewer than 10 password-protected sites.
(Or, for Pete's sake, at least try to keep it to "a few dozen", not "hundreds".)
If you have hundreds of passwords, how many of those are critically important? I bet you could partition all those accounts into two groups: fewer than 10 that are important, and the rest. The passwords for the rest group could be heavily reused.
Like, you know that password you created on some blog site three years ago (which for some reason didn't support Google or Facebook login) just to write one comment? Who cares about it.
Ah, but one big reason people use password manager programs is that the passwords are simply too awkward to type by hand.
If you have passwords which you can easily touch type, because they are just words, then your password manager can be a 3x4 card in your wallet.
That card, rather than revealing the passwords, can just use some sort of shorthand mnemonics that only mean something to you. For instance, "correct battery horse staple" could just be noted down as a "CBHS", or some other idea.
Typable passwords are useful with any sort of manager that doesn't enter passwords for you. E.g. a hardware device with a display that just shows you the password. Such a thing will work in circumstances when you're not able to run your password manager for whatever reason.
Most people’s passwords are 10-ish character not-totally-random strings, so that would actually be an improvement. Now bump it to four words like the xkcd comic actually says and you’ve got a stew goin’.
Yeah, just a pure word combination probably isn't enough. However, if you add in a little leatspe4k and maybe some dashes-between-words and a cApitalization or two the number of possible combinations skyrockets and the password stays pretty easy to remember
Certainly not if the complex variation is just as long, right?
About 15 years ago I got bit by the common mistake of reusing the same password everywhere, it was my email account and I can't believe I caught it in time before they changed the password or did anything to get my account banned. From then on, I remember just one complex password, the one for my password manager. Every site gets its own random password, as long and complex as they'll let me make it. If I get to pick a user name, I randomly generate that too, along with the answers to any security questions, which I keep in the notes section of the password manager.
Once you get entropy high enough, it's no longer the weak link in the chain. So sure, a 50 character long letter/number/symbol line-noise can have more entropy than a 6 word random passphrase, but it doesn't matter and has some drawbacks.
By the way, for security questions specifically, I'd recommend passphrases. Often there are protocols where you need to say the security question answer to a human and they need to verify it. You're not going to have a great time spelling out a bunch of nonsense letters, and there's also more chance someone would be able to talk customer service into "oh I don't know, I just typed random keys" or something. Your password manager can likely do passphrases for you as well so it's probably no harder.
What drives me crazy is that it doesn't matter how well I design my passwords if companies immediately sabotage them with their laughable "security" questions. "Pick one of these security questions carefully chosen for you by our marketing director's 4th grader: What was Mommy's maiden name? What was your first pet's name?..."
So now a hacker can just claim to have forgotten my password, google for the town I grew up in or mother's maiden name or try a list of the top 100 pet names, and not have to deal with my billion-year clever password at all. So they allow you to harden the front door's security as much as you like but require you to pick one of their six easy-access window designs for the side of the house just in case you (or anyone else) are unable to get through the front door.
I can improve security by providing the wrong answer, but then I'll have to record it and won't remember it if surprised by a challenge (on the phone for example). What I always want is the option to create my own security question, because I can design one that only makes sense to me but that I can reliably answer from memory.
Yeah, confirming that I did this to myself and realized in horror that anyone could have reset my password. So the only other option I see is to use real words that look plausible for the fields or to type in a message for support like “read this exactly letter for lettr”
I did that (provide a false answer) with a yahoo mail account and got myself locked out forever... when they introduced the security questions it was a measure to double check when changing the password. as i was using a password manager i just provided nonsense and didn't store it anywhere. years later yahoo decided to make it mandatory to enter the security question when logging in from a new device. no chance to get in there anymore...
You know what’s even better? Go to http://passwordsgenerator.net/, generate as many N-digit passwords as you want and store them in a password manager that’s reasonably sane (that way you can use a very large N). Google, Apple or Microsoft are going to be good ones because they already control your operating system and browser. There’s also a few other popular ones that may offer slightly more features/better organization if that’s important. Also turn on real 2fa (app or even better a U2F key).
No, this won’t really protect you from a very determined attacker. Then again, neither will using a password of three random words. The endless debates about the best password policy are counterproductive. At the point it matters, you haven’t designed your security robustly enough.
I usually add something else to ensure its unique because unlike in most TV/Movies, "Horse battery staple" and "Horse BAttery.Staple!" Are miles apart and any legit password cracking tool won't know that there was 20 common characters between the first and second example
Except good password guessing tools know that trick, and can easily uncover all your passwords if you’ve done that. They just have to find that one example before they can start trying this speed up.
Fantastic - and every site out there has a different set of password requirements that make introducing a strategy like this impossible. Password managers for the win!
I’m so glad I started using the open source password manager Bitwarden years ago and haven’t had to think about passwords since. It auto generates a random 20-40 character string of letters, symbols, and numbers for every account (right click an input > Bitwarden > generate pw) and auto-saves/fills it. Can also store passwords for security questions in named sub-fields. The only password I need to remember is my absurdly long and complex Master Password when I install it on a new device. Then it’s just a PIN or Face ID to enable autofill for a session. Even got my whole family on it and gave them a piece of paper with my Master PW in case I die or something.
33 comments
[ 2.1 ms ] story [ 87.7 ms ] threadIt's likely way easier to memorize, not to mention type.
Though, by the same lexical token, it's worth acknowledging that words from a 170,000 dictionary will include some difficult ones that are not in the user's vocabulary.
Say we use a 30,000 dictionary of common words, and make the password four words. You know, like correct-horse-battery-staple. Wow, I remembered that.
There is a difficulty there that should be acknowledged.
For that, I'd strongly recommend simplifying your life to a dependency on fewer than 10 password-protected sites.
(Or, for Pete's sake, at least try to keep it to "a few dozen", not "hundreds".)
If you have hundreds of passwords, how many of those are critically important? I bet you could partition all those accounts into two groups: fewer than 10 that are important, and the rest. The passwords for the rest group could be heavily reused.
Like, you know that password you created on some blog site three years ago (which for some reason didn't support Google or Facebook login) just to write one comment? Who cares about it.
If you have passwords which you can easily touch type, because they are just words, then your password manager can be a 3x4 card in your wallet.
That card, rather than revealing the passwords, can just use some sort of shorthand mnemonics that only mean something to you. For instance, "correct battery horse staple" could just be noted down as a "CBHS", or some other idea.
Typable passwords are useful with any sort of manager that doesn't enter passwords for you. E.g. a hardware device with a display that just shows you the password. Such a thing will work in circumstances when you're not able to run your password manager for whatever reason.
About 15 years ago I got bit by the common mistake of reusing the same password everywhere, it was my email account and I can't believe I caught it in time before they changed the password or did anything to get my account banned. From then on, I remember just one complex password, the one for my password manager. Every site gets its own random password, as long and complex as they'll let me make it. If I get to pick a user name, I randomly generate that too, along with the answers to any security questions, which I keep in the notes section of the password manager.
By the way, for security questions specifically, I'd recommend passphrases. Often there are protocols where you need to say the security question answer to a human and they need to verify it. You're not going to have a great time spelling out a bunch of nonsense letters, and there's also more chance someone would be able to talk customer service into "oh I don't know, I just typed random keys" or something. Your password manager can likely do passphrases for you as well so it's probably no harder.
So now a hacker can just claim to have forgotten my password, google for the town I grew up in or mother's maiden name or try a list of the top 100 pet names, and not have to deal with my billion-year clever password at all. So they allow you to harden the front door's security as much as you like but require you to pick one of their six easy-access window designs for the side of the house just in case you (or anyone else) are unable to get through the front door.
I can improve security by providing the wrong answer, but then I'll have to record it and won't remember it if surprised by a challenge (on the phone for example). What I always want is the option to create my own security question, because I can design one that only makes sense to me but that I can reliably answer from memory.
And voila, support person opens the door for you.
No, this won’t really protect you from a very determined attacker. Then again, neither will using a password of three random words. The endless debates about the best password policy are counterproductive. At the point it matters, you haven’t designed your security robustly enough.